Audit Focus Area: Tribal Knowledge

Sidney Vianna

One of the options for dealing with risk is to accept it. If management:

- is aware of the risk
- believes it to be insufficient to require action
- and has evidence/rationale for why it is unlikely to affect product conformity or customer satisfaction

While I fully agree that it is up to each organization to manage its risks, let's remember that, rightly or wrongly, customers require suppliers to be ISO 9001 certified as a risk mitigation approach as well. If the supplier has a huge risk appetite and undeservedly attains and maintains their ISO 9001 certificate, then the supplier's and their customer's expectations about the supplier risk taking are at odds.

I've already said here that a 3rd party auditor should not be attempting to micromanage a registrant's appetite for risk, but, if the assessment cannot question any decision by the suppliers' management, what is the point of assessing the system?
If the external auditor and the registrant are working TOGETHER, in a collaborative approach, the identification of focus areas must be a joint undertaking, never a unilateral decision by the CB auditor.
